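# TLS for this server. The private key file should be readable only by the
# account that starts httpd.
SSLEngine on
SSLCertificateFile /xxx/server.pem
SSLCertificateKeyFile /xxx/server.key

# Chain presented for the *server* certificate - not used for client
# verification (though in this simple case they _happen_ to be the same!).
# The directive is SSLCertificateChainFile; "SSLCACertificateChainFile" is not
# a mod_ssl directive, so httpd refuses to load a configuration that uses it.
SSLCertificateChainFile /xxx/root.pem

# No client certificate is requested by default. The /trac and /svn sections
# below switch to "require", which makes mod_ssl renegotiate once the request
# path is known. SSLVerifyDepth bounds the length of the client certificate
# chain that is accepted.
# No revocation list (SSLCARevocationFile / SSLCARevocationPath) is configured
# in this listing, so an issued certificate is accepted until it expires.
SSLVerifyClient none
SSLVerifyDepth 3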
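Alias /trac/ "/xxx/trac/"
<Directory "/xxx/trac">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

    # Refuse any request that did not arrive over TLS. The "anon" provider
    # below accepts every user name, so the client certificate is the only
    # real credential; if this section were ever reachable through a non-SSL
    # listener, the name in a plain Basic header would be taken as-is.
    SSLRequireSSL

    # Insist on a valid SSL certificate, issued by *any* of our CA's.
    # NOTE(review): the mod_ssl documentation lists SSLCACertificateFile for
    # server config / virtual host context - confirm that this httpd version
    # accepts it inside a <Directory> section.
    SSLCACertificateFile /xxx/root.pem
    SSLVerifyClient require

    # FakeBasicAuth turns the certificate's subject DN into the Basic-auth
    # user name; StdEnvVars and ExportCertData expose the SSL_* variables and
    # the PEM certificates to the handler.
    SSLOptions StdEnvVars ExportCertData FakeBasicAuth

    # Optional narrowing to one organisation:
    # SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Org" and ....

    # mod_python speeds things up considerably
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnvParentDir "/var/trac"
    PythonOption TracUriRoot "/trac"

    # Fake up authentication so that trac thinks we're doing
    # basic auth.
    AuthType Basic
    AuthName "my track"

    # We're too lazy to create a 'htpasswd' file as generally
    # done with FakeBasicAuth - hence we use anon to allow
    # any valid cert in. Trac will do the right thing.
    # Consequence: every certificate that chains to root.pem is a valid
    # user; who may do what is decided only by trac's own permissions.
    AuthBasicProvider anon
    Anonymous "*"
    Require valid-user

    # further authorization is handled internally by trac
</Directory>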
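<Location "/svn">
    DAV svn
    SVNParentPath /xxx/svn

    # Refuse any request that did not arrive over TLS. The "anon" provider
    # below accepts every user name, so without TLS and the client
    # certificate nothing would authenticate the caller.
    SSLRequireSSL

    # Client certificate must chain to one of our CA's.
    # NOTE(review): the mod_ssl documentation lists SSLCACertificateFile for
    # server config / virtual host context - confirm that this httpd version
    # accepts it inside a <Location> section.
    SSLCACertificateFile /xxx/root.pem
    SSLVerifyClient require

    # Optional narrowing to one organisation:
    # SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Org..."

    # Pull authentication information in so that svn can record who made a
    # change. With FakeBasicAuth the user name is the certificate's full
    # subject DN, not only the CN.
    SSLOptions StdEnvVars ExportCertData FakeBasicAuth
    AuthType Basic
    AuthName "my svn"

    # We do not want to keep an htaccess list with the DN's - so we let anyone
    # authenticated in.
    # No path-based authorization (e.g. AuthzSVNAccessFile) is set in this
    # section: every holder of a valid certificate gets the same access to
    # all repositories under SVNParentPath.
    AuthBasicProvider anon
    Anonymous "*"
    Require valid-user
</Location>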